From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-qg0-f65.google.com ([209.85.192.65]:33133 "EHLO mail-qg0-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1757333AbcCaQD4 (ORCPT ); Thu, 31 Mar 2016 12:03:56 -0400 From: Johan Hovold To: Greg Kroah-Hartman Cc: linux-usb@vger.kernel.org, Oliver Neukum , Oliver Neukum , stable@vger.kernel.org, Johan Hovold Subject: [PATCH 1/3] USB: mct_u232: add sanity checking in probe Date: Thu, 31 Mar 2016 12:04:24 -0400 Message-Id: <1459440266-17193-2-git-send-email-johan@kernel.org> In-Reply-To: <1459440266-17193-1-git-send-email-johan@kernel.org> References: <1459440266-17193-1-git-send-email-johan@kernel.org> Sender: stable-owner@vger.kernel.org List-ID: From: Oliver Neukum An attack using the lack of sanity checking in probe is known. This patch checks for the existence of a second port. CVE-2016-3136 Signed-off-by: Oliver Neukum CC: stable@vger.kernel.org [johan: add error message ] Signed-off-by: Johan Hovold --- drivers/usb/serial/mct_u232.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/drivers/usb/serial/mct_u232.c b/drivers/usb/serial/mct_u232.c index 4446b8d70ac2..885655315de1 100644 --- a/drivers/usb/serial/mct_u232.c +++ b/drivers/usb/serial/mct_u232.c @@ -376,14 +376,21 @@ static void mct_u232_msr_to_state(struct usb_serial_port *port, static int mct_u232_port_probe(struct usb_serial_port *port) { + struct usb_serial *serial = port->serial; struct mct_u232_private *priv; + /* check first to simplify error handling */ + if (!serial->port[1] || !serial->port[1]->interrupt_in_urb) { + dev_err(&port->dev, "expected endpoint missing\n"); + return -ENODEV; + } + priv = kzalloc(sizeof(*priv), GFP_KERNEL); if (!priv) return -ENOMEM; /* Use second interrupt-in endpoint for reading. */ - priv->read_urb = port->serial->port[1]->interrupt_in_urb; + priv->read_urb = serial->port[1]->interrupt_in_urb; priv->read_urb->context = port; spin_lock_init(&priv->lock); -- 2.7.3